Add check for disabled CSRF protection in Spring

[ggolawski]

Spring has built-in CSRF protection. However, it's possible to disable it, which most likely makes the application vulnerable to Cross-Site Request Forgery (CWE-352).

Spring CSRF protection can be disabled via Java configuration (more details here):

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) {
    http
      .csrf(csrf ->
        csrf.disable()
      );
  }
}

This PR adds a CodeQL check which finds all invocations of CsrfConfigurer.disable() method.

[ghost]

All committers have signed the CLA.

[felicitymay]

Thanks for including a help file with your query. Generally it looks good but I've made a few suggestions with the aim of simplifying the English (shorter sentence) and clarifying a few things.

[ggolawski]

Thanks for reviewing this PR. I applied your suggestions.

[felicitymay]

Thanks for those changes. On re-reading the qhelp file, I realized that one of my suggestions had removed the context from the start of the Recommendation section. 😞

I've made a suggestion to fix this. Apart from this issue, the text looks ready to merge.

[aschackmull]

Could you also run autoformat on the QL code? (That's available in the right-click menu in VSCode)

[ggolawski]

I corrected the help and formatted the QL code.

[felicitymay]

Thanks for correcting the help 😄